
Kilter — Briefing for the Head of IT

A self-hosted reconciliation platform for correspondent-banking treasuries.
Version · 1.0 (production)
Audience · CIO / Head of IT
Reading time · ~3 minutes
Kilter replaces the legacy nostro tool, removes IT from the daily extract-and-send loop, and ships with a modern security posture out of the box — TOTP MFA, encrypted secrets at rest, immutable audit log, no outbound telemetry, container-deployable. Production-ready · in pilot in Ghana · commercially available today.

The daily IT loop today

  1. 06:00. IT runs four hand-written extract scripts against four account lists (nostros, B2W/W2B, prepaid+charges, all GLs) on the core. SFTPs the .xlsx outputs to ops.
  2. Ops finds a missing file, wrong date, or wrong account. IT re-runs. 30–60 min slip.
  3. Corona-class tool of record. Sessions close daily; breaks roll forward on a manual Excel sheet owned by name.
  4. Audit asks "who cleared this on the 14th?" — answer is a filename and a memory.

Kilter removes step 1 entirely via the Core Pull add-on. IT authors the SQL templates once and locks them; ops + a dedicated it role pull from the web UI. Step 2 vanishes, step 3 becomes a first-class ledger, step 4 becomes an immutable audit log.

What ships today

  • Five roles · admin · it · ops · audit · internal_control
  • Core Pull add-on · Oracle (Flexcube / T24-on-Oracle), MS-SQL, MySQL, Postgres · pluggable drivers
  • Account Groups + .txt importer · mirrors today's per-class account lists
  • Pull Schedules · cron · ordered groups · stop-on-failure · Teams / email notify
  • Matching engine · 5 tiers · FX-aware · many-to-one · per-account config
  • Carry-forward open items · rolling ledger across sessions
  • Month-end certificates · maker / checker / approver · signed snapshot is immutable
  • TOTP MFA mandatory · optional LDAP / AD password layer · sliding-window sessions
  • Encrypted at rest · TOTP, SMTP, Core Pull DB credentials (Fernet)
  • Security headers · rate-limited login · 300 MB upload cap · auto-docs disabled in prod
  • Internal pentest passed · external attestation Q4 2026
  • Single Docker container · SQLite for pilots · MySQL for scale · air-gappable
  • No outbound telemetry · no update checks · no analytics

Vs. Corona / legacy tools

| | Kilter | Legacy |
|---|---|---|
| Self-service extracts | Web UI · locked SQL templates · scheduled | IT scripts on server, hand-spooled |
| Carry-forward | Account-level ledger across sessions | Manual Excel carry-forward sheet |
| Audit trail | Every decision logged · immutable · queryable | Per-screen, partial, no decision-level history |
| MFA & identity | TOTP + optional LDAP · session revocation on role flip | Often single-factor or SSO-dependent |
| Format support | MT940/950, camt.053/054, any GL .xlsx via BYO column map | Vendor-specific; expensive to extend |
| Change cycle | Weeks · customer-driven add-ons | Months to a year · vendor PS engagements |
| Deployment | One Docker container · <1 day to install | Fat install across DB / app / web tiers |
| Network footprint | Inbound 443; outbound optional; no vendor callbacks | Phones home for licence / telemetry / updates |
| Licensing | Per-institution · Core Pull as priced add-on · in writing | Per-seat, per-module · opaque, escalates |

Honest about the trade-off. Corona has a 25-year track record, a SWIFT message warehouse, and deep switch integrations. Kilter is modern, focused, and IT-owned. Banks where reconciliation is one of many things IT manages tend to value the latter.

The pilot — four weeks

Week 1 · Stand up. Container on a 4 vCPU / 8 GB VM. LDAP test bind. Admin enrolled. One cash account added.
Week 2 · Author templates. IT writes the Core Pull SQL against the core's test instance. Locks templates. Account Groups mirror today's .txt files. it role assigned.
Week 3 · Run parallel. Same day's pulls via Kilter alongside the legacy spool-and-send. Confirm parity. ops role assigned.
Week 4 · Cut over. Cutover for that account class. Legacy script stays as a one-cycle fallback. IT exits the daily loop.

What IT validates before signing

  • Security posture · pentest summary · architecture note · external attestation Q4 2026
  • Deployment · docs/DEPLOY.md — container, reverse proxy, certs, backup, log rotation
  • Identity · docs/LDAP.md — AD bind shape, server-keyed TOTP enrolment
  • Core connectivity · driver matrix (DEPLOY.md §5c) — you supply read-only DB account & SQL
  • Data residency · everything stays in your VM · single SQLite file (or MySQL dump) is the backup
  • Commercial terms · Pilot / Core / Scale / Custom tiers · Core Pull $8K/yr add-on · +connectors $3K each
"I'd like fifteen minutes with your IT lead to walk through the security pack and the Core Pull integration. The goal is to validate whether Kilter fits the infrastructure pattern at [bank], not to sell — pricing is already in writing. If the answer is yes, we can stand up a sandbox in days."